CVE-2021-21345

Published: Mar 23, 2021Modified: May 23, 2025

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: NVD

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Affected (40)

Products: Netapp: Oncommand Insight · Apache: Activemq, Jmeter · Xstream: Xstream · +3 more

Show all products

1 product

2 products

1 product

1 product

1 product

10 products

Banking Enterprise Default Management

Banking Platform

Banking Virtual Account Management

Business Activity Monitoring

Communications Billing And Revenue Management Elastic Charging Engine

Communications Policy Management

Communications Unified Inventory Management

Peoplesoft Enterprise Peopletools

Retail Xstore Point Of Service

Webcenter Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Insight	All versions

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Before 5.15.14
Apache Activemq	Version 5.16.0
Apache Activemq	Version 5.16.1
Apache Jmeter	Before 5.5

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.16

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration F

28 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Enterprise Default Management	Version 2.10.0
Oracle Banking Enterprise Default Management	Version 2.12.0
Oracle Banking Platform	Version 2.12.0
Oracle Banking Platform	Version 2.4.0
Oracle Banking Platform	Version 2.7.1
Oracle Banking Platform	Version 2.9.0
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Business Activity Monitoring	Version 11.1.1.9.0
Oracle Business Activity Monitoring	Version 12.2.1.3.0
Oracle Business Activity Monitoring	Version 12.2.1.4.0
Oracle Communications Billing And Revenue Management Elastic Charging Engine	Version 12.0.0.3.0
Oracle Communications Policy Management	Version 12.5.0
Oracle Communications Unified Inventory Management	Version 7.3.2
Oracle Communications Unified Inventory Management	Version 7.3.4
Oracle Communications Unified Inventory Management	Version 7.3.5
Oracle Communications Unified Inventory Management	Version 7.4.0
Oracle Communications Unified Inventory Management	Version 7.4.1
Oracle Peoplesoft Enterprise Peopletools	Version 8.58
Oracle Peoplesoft Enterprise Peopletools	Version 8.59
Oracle Retail Xstore Point Of Service	Version 16.0.6
Oracle Retail Xstore Point Of Service	Version 17.0.4
Oracle Retail Xstore Point Of Service	Version 18.0.3
Oracle Retail Xstore Point Of Service	Version 19.0.2
Oracle Webcenter Portal	Version 11.1.1.9.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.